V Tue, May 31, 2022 at 04:25:28PM +0200, Alexander Sosedkin napsal(a):
> On Tue, May 31, 2022 at 4:09 PM Petr Pisar <ppi...@redhat.com> wrote:
> >
> > V Tue, May 31, 2022 at 03:51:26PM +0200, Alexander Sosedkin napsal(a):
> > > On Tue, May 31, 2022 at 3:45 PM Petr Pisar <ppi...@redhat.com> wrote:
> > > >
> > > > V Tue, May 31, 2022 at 02:56:56PM +0200, Alexander Sosedkin napsal(a):
> > > > > On Tue, May 31, 2022 at 12:28 PM Vitaly Zaitsev via devel
> > > > > <devel@lists.fedoraproject.org> wrote:
> > > > > > On 31/05/2022 10:21, Petr Pisar wrote:
> > > > > > > Not in current F37 FUTURE policy the user tested.
> > > > > >
> > > > > > Yes. If the new F37 cryptographic policy considers RSA-2048 to be 
> > > > > > weak,
> > > > > > it should be reverted.
> > > > >
> > > > > The actual proposal is in the OP.
> > > > >
> > > > > Not only there's no such thing as "new F37 policy" happening,
> > > > > the F39 DEFAULT does allow RSA-2048,
> > > > > and this is spelled out upfront in the proposal text in the OP.
> > > > > RSA-3072 is only the minimum for the opt-in FUTURE policy,
> > > > > which has been the case since at least F28.
> > > > >
> > > > I'm sorry. You are right that the key length limit won't change.
> > > >
> > > > Probably what confused us is this sentence:
> > > >
> > > >     Test your setup with FUTURE today and file bugs so you won't get 
> > > > bit by
> > > >     Fedora 38-39.
> > > >
> > > > That's obviously incorect because current FUTURE is not equvialent to 
> > > > the
> > > > proposed DEFAULT. I recommend you to reword the testing procedure so 
> > > > that
> > > > people are not bitten by this discrepancy.
> > > >
> > > > Maybe you should prepare a policy DEFAULT-F39, package it into current 
> > > > Fedora,
> > > > and ask people to test DEFAULT-F39 instead of FUTURE or FUTURE:SHA1.
> > >
> > > That'd be TEST-FEDORA39, mentioned as an alternative in the same sentence:
> > >
> > > > Install crypto-policies-scripts package and switch to a more 
> > > > restrictive policy
> > > > with either update-crypto-policies --set FUTURE or 
> > > > update-crypto-policies --set TEST-FEDORA39.
> > >
> > > I chose to suggest them in this particular order
> > > in hopes of bringing the world a tad closer to the FUTURE and not just
> > > F39 DEFAULT.
> > >
> > > Should I drop it?
> >
> > That would be great. If this change is about SHA-1, I would only keep
> > TEST-FEDORA39 in the Change page.
> >
> > If you want to promote FUTURE, you can keep a small notice at the end of How
> > To Test section that people who want to sense security of far future, can 
> > try
> > FUTURE policy. But make sure that it's written in an obvious way that FUTURE
> > is out of scope of this Change.
> 
> Fair.
> Deprioritized testing FUTURE, warned that it's not gonna become defaults
> and made TEST-FEDORA39 more prominent:
> https://fedoraproject.org/w/index.php?title=Changes%2FStrongCryptoSettings3Forewarning1&type=revision&diff=646390&oldid=646384
> https://fedoraproject.org/w/index.php?title=Changes%2FStrongCryptoSettings3Forewarning2&type=revision&diff=646391&oldid=646385

Great.

-- Petr

Attachment: signature.asc
Description: PGP signature

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Reply via email to